CN112511351A - Security situation prediction method and system based on MES identification data intercommunication system - Google Patents


Info

Publication number: CN112511351A
Authority: CN (China)
Application number: CN202011388034.4A
Original language: Chinese (zh)
Other versions: CN112511351B (granted publication)
Inventors: 柴森春, 王昭洋, 李孟洋, 崔灵果, 李慧芳, 姚分喜, 张百海
Current and original assignee: Beijing Institute of Technology (BIT)
Legal status: granted; active
Events: application filed by Beijing Institute of Technology (BIT), with priority to CN202011388034.4A; publication of CN112511351A; application granted; publication of CN112511351B

Classifications

All codes fall under H04L (transmission of digital information), within H04L41/00 (arrangements for maintenance, administration or management of data switching networks) and H04L63/00 (network architectures or network communication protocols for network security):
    • H04L41/044 Network management architectures or arrangements comprising hierarchical management structures
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/205 Managing network security; negotiation or determination of the network security mechanisms to be used, e.g. between client and server or between peers, or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a security situation prediction method and system based on an MES identification data intercommunication system. The method comprises: acquiring a security situation assessment model of the MES identification data intercommunication system; extracting the network security situation elements of each enterprise node in the enterprise node layer according to the model; determining the situation threat value of each enterprise node from those elements; fusing the situation threat values of the enterprise nodes bottom-up and layer by layer according to the model to obtain the overall situation threat value of the MES identification data intercommunication system; and determining a predicted overall situation threat value from the overall situation threat values within a set period and an autoregressive moving average (ARMA) model. The invention can accurately locate security vulnerabilities in the MES identification data intercommunication system and evaluate the security situation within it, thereby helping security managers draw up an effective protection scheme.

Description

Security situation prediction method and system based on MES identification data intercommunication system
Technical Field
The invention relates to the technical field of network security situation awareness, and in particular to a security situation prediction method and system based on an MES identification data intercommunication system.
Background
A Manufacturing Execution System (MES) is a management information system for the shop-floor layer, sitting between the upper planning and management system and the lower industrial control system. With the rapid development of industrial internet technology, an MES-oriented identification data intercommunication system has also been proposed. Such a system interconnects the different MES systems of several enterprises under a unified standard and provides a more general data exchange solution for MES.
At present, the network security technologies applied to MES systems are mainly firewalls, intrusion detection, encryption and network security scanning, which guarantee information security to a certain extent. However, as industrial internet technology develops and attack techniques become more specialised, this traditional defence system no longer meets the protection requirements of an MES identification data intercommunication system. Network security situation awareness, which builds on security big data to assess the security of, and predict the risk to, the whole system from a system-wide perspective, has therefore become a key research topic. How to assess the security situation of the whole system more comprehensively and accurately, so as to meet the protection requirements of the MES identification data intercommunication system, is thus a problem that urgently needs solving.
Disclosure of Invention
The invention aims to provide a security situation prediction method and system based on an MES identification data intercommunication system that can accurately locate security vulnerabilities in the MES identification data intercommunication system and evaluate the security situation within it, thereby helping security managers draw up an effective protection scheme.
To this end, the invention provides the following scheme:
A security situation prediction method based on an MES identification data intercommunication system comprises the following steps:
acquiring a security situation assessment model of the MES identification data intercommunication system; the security situation assessment model is the overall architecture of the MES identification data intercommunication system and consists, from top to bottom, of a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer;
extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model; the network security situation elements comprise raw alert information and raw traffic data;
determining the situation threat value of each enterprise node from the network security situation elements;
fusing the situation threat values of the enterprise nodes bottom-up and layer by layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system;
determining a predicted overall situation threat value from the overall situation threat values within a set period and an autoregressive moving average (ARMA) model; the set period is 30 days.
Optionally, determining the situation threat value of each enterprise node from the network security situation elements specifically comprises:
preprocessing the raw alert information; the preprocessing comprises data normalization and data clustering;
determining, from the preprocessed alert information, the proportion of occurrences of each attack type to the total number of attack occurrences;
determining the threat level of each attack type with a vulnerability scoring system, together with the proportion of occurrences of each attack type;
extracting features from the raw traffic data;
judging with a convolutional neural network, from those features, whether the raw traffic data are abnormal; abnormal traffic is recorded as the Boolean value 1 and normal traffic as the Boolean value 0; the convolutional neural network takes the traffic features as input and outputs the judgment, i.e. whether the raw traffic data are normal or abnormal;
counting the number of hosts whose raw traffic data are abnormal;
and determining the situation threat value of each enterprise node from the threat level of each attack type and the number of hosts with abnormal traffic.
Optionally, fusing the situation threat values of the enterprise nodes bottom-up and layer by layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system specifically comprises:
acquiring the weight of each enterprise node;
fusing, according to the corresponding weights, the situation threat values of all enterprise nodes under each secondary node of the secondary node layer to obtain the situation threat value of each secondary node;
fusing the situation threat values of all secondary nodes under each top-level node of the top-level node layer to obtain the situation threat value of each top-level node;
fusing the situation threat values of the top-level nodes to obtain the situation threat value of the root node layer, which is the overall situation threat value of the MES identification data intercommunication system.
Optionally, after determining the predicted overall situation threat value from the overall situation threat values within the set period and the ARMA model, the method further comprises:
feeding back the predicted overall situation threat value.
A security situation prediction system based on an MES identification data intercommunication system comprises:
a security situation assessment model acquisition module, for acquiring the security situation assessment model of the MES identification data intercommunication system; the security situation assessment model is the overall architecture of the MES identification data intercommunication system and consists, from top to bottom, of a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer;
a network security situation element determination module, for extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model; the network security situation elements comprise raw alert information and raw traffic data;
a situation threat value determination module, for determining the situation threat value of each enterprise node from the network security situation elements;
an overall situation threat value determination module, for fusing the situation threat values of the enterprise nodes bottom-up and layer by layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system;
and an overall situation threat prediction value determination module, for determining the predicted overall situation threat value from the overall situation threat values within a set period and an ARMA model; the set period is 30 days.
Optionally, the situation threat value determination module specifically comprises:
a preprocessing unit, for preprocessing the raw alert information; the preprocessing comprises data normalization and data clustering;
an attack proportion determination unit, for determining, from the preprocessed alert information, the proportion of occurrences of each attack type to the total number of attack occurrences;
a threat level determination unit, for determining the threat level of each attack type with a vulnerability scoring system, together with the proportion of occurrences of each attack type;
a feature extraction unit, for extracting features from the raw traffic data;
a raw traffic judgment unit, for judging with a convolutional neural network, from those features, whether the raw traffic data are abnormal; abnormal traffic is recorded as the Boolean value 1 and normal traffic as the Boolean value 0; the convolutional neural network takes the traffic features as input and outputs the judgment, i.e. whether the raw traffic data are normal or abnormal;
an anomaly counting unit, for counting the number of hosts whose raw traffic data are abnormal;
and a situation threat value determination unit, for determining the situation threat value of each enterprise node from the threat level of each attack type and the number of hosts with abnormal traffic.
Optionally, the overall situation threat value determination module specifically comprises:
an enterprise node weight acquisition unit, for acquiring the weight of each enterprise node;
a secondary node situation threat value determination unit, for fusing, according to the corresponding weights, the situation threat values of all enterprise nodes under each secondary node of the secondary node layer to obtain the situation threat value of each secondary node;
a top-level node situation threat value determination unit, for fusing the situation threat values of all secondary nodes under each top-level node of the top-level node layer to obtain the situation threat value of each top-level node;
and an overall situation threat value determination unit, for fusing the situation threat values of the top-level nodes to obtain the situation threat value of the root node layer, which is the overall situation threat value of the MES identification data intercommunication system.
Optionally, the system further comprises:
a feedback module, for feeding back the predicted overall situation threat value.
According to the specific embodiments provided, the invention has the following technical effects:
The security situation prediction method and system based on an MES identification data intercommunication system determine the situation threat value of each enterprise node from the network security situation elements, so that security vulnerabilities in the system are located accurately and the security situation within the system is evaluated, which helps security managers draw up an effective protection scheme. The situation threat values of the enterprise nodes are fused bottom-up and layer by layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system; the security situation of many enterprise nodes is thus assessed at the same time, which speeds up the security situation assessment of the whole MES identification data intercommunication system.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of the security situation prediction method based on an MES identification data intercommunication system according to the invention;
FIG. 2 is a schematic structural diagram of the security situation prediction method based on an MES identification data intercommunication system according to the invention;
FIG. 3 is a schematic diagram of the security situation assessment model of the MES identification data intercommunication system according to the invention;
FIG. 4 is a schematic structural diagram of the security situation prediction system based on an MES identification data intercommunication system according to the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
The invention aims to provide a security situation prediction method and system based on an MES identification data intercommunication system that can accurately locate security vulnerabilities in the MES identification data intercommunication system and evaluate the security situation within it, thereby helping security managers draw up an effective protection scheme.
To make the above objects, features and advantages of the invention easier to understand, embodiments are described in further detail below with reference to the figures.
FIG. 1 is a schematic flow chart and FIG. 2 a schematic structural diagram of the security situation prediction method based on an MES identification data intercommunication system according to the invention. As shown in FIG. 1 and FIG. 2, the method comprises:
S101, acquiring a security situation assessment model of the MES identification data intercommunication system; the security situation assessment model is the overall architecture of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer.
S102, extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model; the network security situation elements comprise raw alert information and raw traffic data. The raw alert information consists of the alerts raised by the security protection systems already present in the MES system (such as a firewall or an intrusion detection system).
S103, determining the situation threat value of each enterprise node from the network security situation elements.
S103 specifically comprises the following steps:
preprocessing the raw alert information; the preprocessing comprises data normalization and data clustering;
normalizing the alerts generated in each enterprise's MES system with a natural language processing method;
feeding the normalized alert data to a decision tree algorithm, which groups records of the same attack type into one class and outputs several data classes, one per attack type;
determining, from the preprocessed alert information, the proportion of occurrences of each attack type to the total number of attack occurrences;
determining the threat level of each attack type with a vulnerability scoring system, together with that proportion;
extracting features from the raw traffic data, specifically with the flow feature extraction tool CICFlowMeter; the convolutional neural network is trained on the CIC-IDS-2018 intrusion detection data set;
judging with the convolutional neural network, from those features, whether the raw traffic data are abnormal; abnormal traffic is stored as the Boolean value 1 and normal traffic as the Boolean value 0; the network takes the traffic features as input and outputs the judgment, i.e. whether the raw traffic data are normal or abnormal;
counting the number of hosts whose raw traffic data are abnormal;
and determining the situation threat value of each enterprise node from the threat level of each attack type and the number of hosts with abnormal traffic.
As a specific embodiment, determining the situation threat value of each enterprise node from the network security situation elements comprises the following steps:
Step 1: Collect raw alert information. Collect the raw alert information in the MES system of the enterprise node, i.e. the alerts raised by the security protection systems already present in the MES system (such as a firewall or an intrusion detection system). Because different protection systems produce alerts in different formats, all collected alerts must be normalized. Normalization takes each raw alert generated in the system as input and, using a natural language processing method, outputs five feature words.
The normalized alert format is defined as
$x_i = \{Type, SIP, SPort, DIP, DPort\}$
where i is the serial number of the alert, Type is the attack type, SIP the IP address of the intruder, SPort the port used by the intruder, DIP the IP address of the attacked host holding important sensitive data, and DPort the attacked port on that host.
Step 2: Cluster the alert information. The normalized alerts can be divided into classes by attack type, so alerts of the same attack type are grouped into one class, yielding one data class per attack type. Among classification algorithms the decision tree is fast and accurate; to meet the real-time requirement of security protection, the method uses a decision tree to assign each normalized alert to its attack-type class (a decision tree is a supervised classifier, so it must first be trained on alerts labelled with their attack type).
Step 3: Acquire raw traffic data. A traffic monitor in the system collects, in real time over one day, the traffic generated by each host in the enterprise node's MES system. The collected traffic is the raw data; the flow feature extraction tool CICFlowMeter extracts flow features from it, and a convolutional neural network (trained in this method on the CIC-IDS-2018 intrusion detection data set) decides from those features whether the traffic is abnormal. Abnormal traffic is stored as the Boolean value 1 and normal traffic as the Boolean value 0.
Step 4: Assess the network security situation of the single enterprise node, as follows.
Step 5: Define P as the ratio of the number of occurrences of a given attack type to the total number of attack occurrences. Taking one day as the time period, collect the clustered alert information generated in the system each day, count the total number of attack occurrences A and the number of occurrences B_i of attack type i, and compute the proportion P of that attack type as
$P = \frac{B_i}{A}$
Step 6: Define R as the attack threat level. The method rates the threat level of each attack type with the CVSS (Common Vulnerability Scoring System), R being the score of the attack type: 10 at most and 0 at least. Vulnerabilities scoring 7 to 10 are generally considered high severity, 4 to 6.9 medium and 0 to 3.9 low.
Step 7: Define F as the abnormal traffic condition. The abnormal traffic condition in the MES system of a given enterprise node is counted for each day as
$F = \sum_{i=1}^{n} f_i$
where F is the abnormal traffic condition of the enterprise node's MES system, f_i the abnormal traffic condition of host i in that MES system (f_i = 0 means the host's traffic is normal and f_i = 1 that it is abnormal) and n the number of hosts in the MES system; F is therefore the number of hosts with abnormal traffic.
Step 8: Fuse the security situation elements to obtain the threat degree e of a given attack type to the enterprise MES system in one day, quantified as
$e = P \times R + F$
The larger e, the higher the threat level the MES system faces.
S104, fusing the situation threat values of the enterprise nodes bottom-up and layer by layer according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system.
S104 specifically comprises: acquiring the weight of each enterprise node;
fusing, according to the corresponding weights, the situation threat values of all enterprise nodes under each secondary node of the secondary node layer to obtain the situation threat value of each secondary node;
fusing the situation threat values of all secondary nodes under each top-level node of the top-level node layer to obtain the situation threat value of each top-level node;
fusing the situation threat values of the top-level nodes to obtain the situation threat value of the root node layer, which is the overall situation threat value of the MES identification data intercommunication system.
S105, determining the predicted overall situation threat value from the overall situation threat values within the set period and the autoregressive moving average (ARMA) model; the set period is 30 days.
Finally, the threat degrees e of all attack types against an enterprise MES system are accumulated, which gives the security situation of that enterprise MES system for one day, expressed as:
(formula given as an image in the original; it accumulates e over the n attack types)
E represents the security situation of the enterprise node's MES system, e represents the threat degree of a single attack type to the enterprise MES system, and n represents the number of attack types.
(5) Count the network security situation of the whole system. The network security situations of the MES systems of the enterprise nodes are fused, each with a set weight, to obtain the network security situation of each secondary node; repeating this upward gives the network security situation of the whole system. The calculation formula is
(formula given as an image in the original; it expresses S in terms of the current-layer values G and their number n)
S represents the network security situation of an upper-layer node obtained after data fusion, G represents the network security situation of each node in the current layer, and n represents the number of nodes in the current layer that belong to that upper-layer node. For example, when the network security situations of the nodes in the enterprise node layer are fused to obtain the network security situation of each node in the secondary node layer, the network security situation E of each enterprise node plays the role of the current-layer value G in the formula, and the resulting network security situation of each secondary node is the upper-layer value S. Fusing upward layer by layer in this way yields the network security situation value of the whole system for one day.
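As an added, runnable illustration (not code from the patent), the per-node computation of steps 6 to 8 and the layer-by-layer fusion of S104 can be written as follows in Python. The attack-type labels, CVSS scores, per-host traffic verdicts, tree layout and weights are all constructed sample values, the function names are my own, and fusion at every layer is assumed to be a weighted sum (the patent's fusion formula is an image and is not reproduced here).

```python
from collections import Counter

# Constructed sample data for one day (not from the patent).
# Alarm records after preprocessing: one attack-type label per alarm, per enterprise node.
ALARMS = {
    "ent_1": ["dos", "dos", "dos", "scan"],
    "ent_2": ["scan", "brute_force"],
    "ent_3": ["dos"],
}
# R in step 6: CVSS base score of each attack type (illustrative values).
CVSS_SCORE = {"dos": 7.5, "scan": 5.3, "brute_force": 8.1}
# f in step 7: per-host verdict from the traffic classifier, 1 = abnormal, 0 = normal.
HOST_VERDICTS = {
    "ent_1": [0, 1, 0, 1],
    "ent_2": [0, 0, 0],
    "ent_3": [1, 0],
}
# Assessment-model tree: root -> top-level nodes -> secondary nodes -> enterprise nodes.
CHILDREN = {
    "root": ["top_A", "top_B"],
    "top_A": ["sec_A1"],
    "top_B": ["sec_B1"],
    "sec_A1": ["ent_1", "ent_2"],
    "sec_B1": ["ent_3"],
}
# Weight of every node inside its parent (assumption: weighted sum at every layer).
WEIGHT = {"top_A": 0.5, "top_B": 0.5, "sec_A1": 1.0, "sec_B1": 1.0,
          "ent_1": 0.6, "ent_2": 0.4, "ent_3": 1.0}


def severity_band(score):
    """CVSS severity band used in step 6: 7-10 high, 4-6.9 medium, 0-3.9 low."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def attack_proportions(alarms):
    """P: share of each attack type among all alarms of the day (empty if no alarms)."""
    counts = Counter(alarms)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {attack: n / total for attack, n in counts.items()}


def abnormal_host_count(verdicts):
    """F: number of hosts whose traffic the classifier marked abnormal (f = 1)."""
    return sum(1 for f in verdicts if f == 1)


def attack_threat(p, r, f_total):
    """e = P x R + F for one attack type (step 8)."""
    return p * r + f_total


def enterprise_situation(alarms, verdicts, cvss=CVSS_SCORE):
    """E: accumulate e over all attack types seen at one enterprise node."""
    f_total = abnormal_host_count(verdicts)
    return sum(attack_threat(p, cvss[a], f_total)
               for a, p in attack_proportions(alarms).items())


def situation(node):
    """Bottom-up, layer-by-layer fusion (S104); leaves are enterprise nodes."""
    if node not in CHILDREN:
        return enterprise_situation(ALARMS[node], HOST_VERDICTS[node])
    return sum(WEIGHT[child] * situation(child) for child in CHILDREN[node])


if __name__ == "__main__":
    for name in ["ent_1", "ent_2", "ent_3", "sec_A1", "top_A", "root"]:
        print(f"{name}: {situation(name):.3f}")
```

With the constructed values, ent_1 has three "dos" and one "scan" alarm and two abnormal hosts, so e(dos) = 0.75 × 7.5 + 2 and e(scan) = 0.25 × 5.3 + 2, giving E = 10.95; the root value is the weighted sum of the two top-level nodes. The recursion stops at nodes that have no children, which is how the enterprise node layer is recognised.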
To help security managers comprehensively grasp the security situation of the system and formulate corresponding response strategies, S105 further includes:
feeding back the overall situation threat prediction value.
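As an added example of the prediction step S105 (not the patent's code): fit a low-order autoregressive model to the last 30 daily overall threat values and predict the next day's value. The block is pure Python and uses an AR(p) model fitted by ordinary least squares as a stand-in for the ARMA model named in the text (the moving-average terms are omitted); the 30-day series is constructed, and the function and variable names are my own.

```python
def solve_linear(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting (small dense systems)."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def fit_ar(series, p):
    """Least-squares fit of x_t = c + phi_1 x_{t-1} + ... + phi_p x_{t-p}.
    Returns [c, phi_1, ..., phi_p] from the normal equations A^T A beta = A^T y."""
    rows = [[1.0] + [series[t - k] for k in range(1, p + 1)] for t in range(p, len(series))]
    y = series[p:]
    n = p + 1
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    aty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(n)]
    return solve_linear(ata, aty)


def forecast(series, coef, steps=1):
    """Recursive multi-step forecast: each predicted day feeds the next prediction."""
    p = len(coef) - 1
    history = list(series)
    out = []
    for _ in range(steps):
        nxt = coef[0] + sum(coef[k] * history[-k] for k in range(1, p + 1))
        history.append(nxt)
        out.append(nxt)
    return out


def make_ar_series(n, c, phi, start):
    """Constructed series generated exactly by an AR(len(phi)) recursion (test data only)."""
    x = list(start)
    while len(x) < n:
        x.append(c + sum(phi[k] * x[-(k + 1)] for k in range(len(phi))))
    return x


# Constructed 30-day series of overall situation threat values (the set period).
THREAT_30D = make_ar_series(30, 2.0, [0.8, -0.3], [9.0, 8.0])

if __name__ == "__main__":
    coef = fit_ar(THREAT_30D, p=2)
    print("coefficients:", [round(v, 4) for v in coef])
    print("next-day prediction:", round(forecast(THREAT_30D, coef)[0], 4))
```

Because the constructed series follows the AR(2) recursion exactly, the fit recovers the generating coefficients and the one-step prediction equals the value the recursion would produce; on real daily threat values the residuals are non-zero and the model order p should be chosen from the data. In production a library estimator (for example the ARIMA class in statsmodels) would replace the hand-rolled solver.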
Fig. 4 is a schematic structural diagram of the security situation prediction system based on an MES identification data intercommunication system provided by the present invention. As shown in fig. 4, the system includes: a security situation assessment model acquisition module 401, a network security situation element determination module 402, a situation threat value determination module 403, an overall situation threat value determination module 404 and an overall situation threat prediction value determination module 405.
The security situation assessment model acquisition module 401 acquires the security situation assessment model of the MES identification data intercommunication system. The security situation assessment model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer.
The network security situation element determination module 402 extracts the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model. The network security situation elements comprise original alarm information and original traffic data.
The situation threat value determination module 403 determines the situation threat value of each enterprise node from the network security situation elements.
The overall situation threat value determination module 404 performs data fusion on the situation threat value of each enterprise node according to the security situation assessment model, using a bottom-to-top, layer-by-layer fusion strategy, to obtain the overall situation threat value of the MES identification data intercommunication system.
The overall situation threat prediction value determination module 405 determines the overall situation threat prediction value from the overall situation threat values within a set period and the autoregressive moving average model; the set period is 30 days.
The situation threat value determination module 403 specifically includes: a preprocessing unit, an attack proportion determination unit, a threat level determination unit, a feature extraction unit, an original traffic data judgement unit, an abnormality counting unit and a situation threat value determination unit.
The preprocessing unit preprocesses the original alarm information; the preprocessing includes data normalization and data clustering.
The attack proportion determination unit determines, from the preprocessed original alarm information, the proportion of the occurrence count of each attack type to the total number of attack occurrences.
The threat level determination unit determines the threat level of each attack type using a vulnerability scoring system, based on the proportion of the occurrence count of each attack type to the total number of attack occurrences.
The feature extraction unit extracts features from the original traffic data.
The original traffic data judgement unit judges, with a convolutional neural network, whether the original traffic data is abnormal based on its features; if the original traffic data is abnormal, the result is stored as the Boolean value 1, and if it is normal, as the Boolean value 0. The convolutional neural network takes the features of the original traffic data as input and the judgement result as output; the judgement result is that the original traffic data is normal or that it is abnormal.
The abnormality counting unit counts the number of hosts whose original traffic data is abnormal.
The situation threat value determination unit determines the situation threat value of each enterprise node from the threat level of each attack type and the corresponding number of hosts with abnormal original traffic data.
The overall situation threat value determination module 404 specifically includes: an enterprise node weight acquisition unit, a situation threat value determination unit for each node of the secondary node layer, a situation threat value determination unit for the top-level nodes and an overall situation threat value determination unit.
The enterprise node weight acquisition unit acquires the weight of each enterprise node.
The situation threat value determination unit for the secondary node layer fuses, for each secondary node, the situation threat values of all enterprise nodes under it according to their weights, obtaining the situation threat value of each node in the secondary node layer.
The situation threat value determination unit for the top-level nodes fuses, for each top-level node, the situation threat values of all secondary nodes under it, obtaining the situation threat value of each top-level node.
The overall situation threat value determination unit fuses the situation threat values of all top-level nodes to obtain the situation threat value of the root node layer; the situation threat value of the root node layer is the overall situation threat value of the MES identification data intercommunication system.
To help security managers comprehensively grasp the security situation of the system and formulate corresponding response strategies, the security situation prediction system based on an MES identification data intercommunication system provided by the present invention further includes a feedback module.
The feedback module feeds back the overall situation threat prediction value.
The embodiments in this description are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts can be cross-referenced. Because the system disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
The principles and embodiments of the present invention have been described with specific examples, which are provided only to help understand the method and the core concept of the invention; at the same time, a person skilled in the art may, following the idea of the invention, change the specific embodiments and the scope of application. In view of the above, this description should not be construed as limiting the invention.

Claims (8)

1. A security situation prediction method based on an MES identification data intercommunication system, characterized by comprising the following steps:
acquiring a security situation assessment model of the MES identification data intercommunication system; the security situation assessment model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer;
extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model; the network security situation elements comprise original alarm information and original traffic data;
determining the situation threat value of each enterprise node from the network security situation elements;
according to the security situation assessment model, performing data fusion on the situation threat value of each enterprise node with a bottom-to-top, layer-by-layer fusion strategy to obtain the overall situation threat value of the MES identification data intercommunication system;
determining the overall situation threat prediction value from the overall situation threat values within a set period and an autoregressive moving average model; the set period is 30 days.
2. The security situation prediction method based on an MES identification data intercommunication system according to claim 1, characterized in that determining the situation threat value of each enterprise node from the network security situation elements specifically comprises:
preprocessing the original alarm information; the preprocessing comprises data normalization and data clustering;
determining, from the preprocessed original alarm information, the proportion of the occurrence count of each attack type to the total number of attack occurrences;
determining the threat level of each attack type using a vulnerability scoring system, based on the proportion of the occurrence count of each attack type to the total number of attack occurrences;
performing feature extraction on the original traffic data to obtain the features of the original traffic data;
judging, with a convolutional neural network, whether the original traffic data is abnormal based on its features; if the original traffic data is abnormal, the result is stored as the Boolean value 1, and if it is normal, as the Boolean value 0; the convolutional neural network takes the features of the original traffic data as input and the judgement result as output; the judgement result is that the original traffic data is normal or that it is abnormal;
counting the number of hosts whose original traffic data is abnormal;
determining the situation threat value of each enterprise node from the threat level of each attack type and the corresponding number of hosts with abnormal original traffic data.
3. The security situation prediction method based on an MES identification data intercommunication system according to claim 1, characterized in that performing data fusion on the situation threat value of each enterprise node with a bottom-to-top, layer-by-layer fusion strategy according to the security situation assessment model to obtain the overall situation threat value of the MES identification data intercommunication system specifically comprises:
acquiring the weight of each enterprise node;
for each secondary node in the secondary node layer, fusing the situation threat values of all enterprise nodes under it according to their weights to obtain the situation threat value of each node in the secondary node layer;
for each top-level node in the top-level node layer, fusing the situation threat values of all secondary nodes under it to obtain the situation threat value of each top-level node;
fusing the situation threat values of all top-level nodes to obtain the situation threat value of the root node layer; the situation threat value of the root node layer is the overall situation threat value of the MES identification data intercommunication system.
4. The security situation prediction method based on an MES identification data intercommunication system according to claim 1, characterized in that, after determining the overall situation threat prediction value from the overall situation threat values within a set period and the autoregressive moving average model, the method further comprises:
feeding back the overall situation threat prediction value.
5. A security situation prediction system based on an MES identification data intercommunication system, characterized by comprising:
a security situation assessment model acquisition module for acquiring the security situation assessment model of the MES identification data intercommunication system; the security situation assessment model is the overall framework of the MES identification data intercommunication system and comprises, from top to bottom, a root node layer, a top-level node layer, a secondary node layer and an enterprise node layer;
a network security situation element determination module for extracting the network security situation elements of each enterprise node in the enterprise node layer according to the security situation assessment model; the network security situation elements comprise original alarm information and original traffic data;
a situation threat value determination module for determining the situation threat value of each enterprise node from the network security situation elements;
an overall situation threat value determination module for performing data fusion on the situation threat value of each enterprise node with a bottom-to-top, layer-by-layer fusion strategy according to the security situation assessment model, to obtain the overall situation threat value of the MES identification data intercommunication system;
an overall situation threat prediction value determination module for determining the overall situation threat prediction value from the overall situation threat values within a set period and an autoregressive moving average model; the set period is 30 days.
6. The security situation prediction system based on an MES identification data intercommunication system according to claim 5, characterized in that the situation threat value determination module specifically comprises:
a preprocessing unit for preprocessing the original alarm information; the preprocessing comprises data normalization and data clustering;
an attack proportion determination unit for determining, from the preprocessed original alarm information, the proportion of the occurrence count of each attack type to the total number of attack occurrences;
a threat level determination unit for determining the threat level of each attack type using a vulnerability scoring system, based on the proportion of the occurrence count of each attack type to the total number of attack occurrences;
a feature extraction unit for performing feature extraction on the original traffic data to obtain the features of the original traffic data;
an original traffic data judgement unit for judging, with a convolutional neural network, whether the original traffic data is abnormal based on its features; if the original traffic data is abnormal, the result is stored as the Boolean value 1, and if it is normal, as the Boolean value 0; the convolutional neural network takes the features of the original traffic data as input and the judgement result as output; the judgement result is that the original traffic data is normal or that it is abnormal;
an abnormality counting unit for counting the number of hosts whose original traffic data is abnormal;
a situation threat value determination unit for determining the situation threat value of each enterprise node from the threat level of each attack type and the corresponding number of hosts with abnormal original traffic data.
7. The security situation prediction system based on an MES identification data intercommunication system according to claim 5, characterized in that the overall situation threat value determination module specifically comprises:
an enterprise node weight acquisition unit for acquiring the weight of each enterprise node;
a situation threat value determination unit for the secondary node layer, which fuses, for each secondary node in the secondary node layer, the situation threat values of all enterprise nodes under it according to their weights to obtain the situation threat value of each node in the secondary node layer;
a situation threat value determination unit for the top-level nodes, which fuses, for each top-level node in the top-level node layer, the situation threat values of all secondary nodes under it to obtain the situation threat value of each top-level node;
an overall situation threat value determination unit for fusing the situation threat values of all top-level nodes to obtain the situation threat value of the root node layer; the situation threat value of the root node layer is the overall situation threat value of the MES identification data intercommunication system.
8. The security situation prediction system based on an MES identification data intercommunication system according to claim 5, characterized by further comprising:
a feedback module for feeding back the overall situation threat prediction value.
CN202011388034.4A 2020-12-01 2020-12-01 Security situation prediction method and system based on MES identification data intercommunication system Active CN112511351B (en)


Publications (2)

Publication Number Publication Date
CN112511351A true CN112511351A (en) 2021-03-16
CN112511351B CN112511351B (en) 2021-11-09



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant